Sacred Heart data protectionists at work (Note critiche al Parere EDPB sul Pay or Consent)

With an excessive decision, the European Data Protection Committee is removing the basis for business models on the Internet.

The European Union has made data protection powerful. Since 2018, the General Data Protection Regulation (GDPR) has reigned supreme with exorbitant fines and resounding data subject rights. More than half of these regulations do not even deal with the question of what the digital economy is allowed to do with the often sensitive data, but instead assigns numerous powers to state bodies, the data protection supervisory authorities: from informing the public about the risks of data processing to ordering and enforcement powers.

A newly created institution has been granted special powers: the European Data Protection Board (EDPB). It coordinates the national supervisory authorities and ensures the uniform implementation of the GDPR in all member states – and recently caused quite a stir: With a position (opinion) on the topic of tracking, i.e. the tracking of our activities on the internet, for example via cookies. This tracking is used to create personal profiles, which are then used by platforms such as Google for targeted, interest-based advertising measures (so-called targeted advertising) – and which form the backbone of internet-based economic models. Advertising revenue finances “free” offers on the internet, from search engines and journalistic articles to games and social media.

Frontal attack on internet-based economic models

The “favorite opponent” of data protectionists, Facebook (Meta Group), has been trying for years to make its own business model GDPR-compliant – and has recently come under increasing pressure: possible legal bases offered by the GDPR for legal tracking are being taken out of Facebook’s hands bit by bit by the European Court of Justice (ECJ) and the EDPB. Like many German providers (and publishers), Facebook had opted for a choice model (“pay or consent” or pure subscription model), which offers interested parties the choice between consenting to tracking or purchasing a paid subscription to the services. After the supervisory authorities announced that they wanted to take a close look at the level of subscription costs, Facebook even lowered its subscription prices from 10 euros to 6 euros per month. However, this is precisely where the EDPB’s opinion published in April comes in and now demands that providers must always offer a third option, which must be (as good as) tracking-free and free of charge.

This frontal attack on internet-based economic models has only an extremely rudimentary basis in the GDPR, which only requires that consent must be “voluntary”. The extreme positioning of the EDPB is all the more courageous as public authorities require a “clear and specific” legal basis for intervening in the business of online content providers – after all, this is not about an enthusiastic maximum demand from consumer associations, but about state economic regulation. At the same time, this restricts users’ opportunities to participate – especially those with little money.

Fundamental rights are directed against the state

The ideological “superstructure” of this fundamental demand by the authorities is provided in the same paper: Personal data could not be regarded as a “tradeable commodity”. Declaring personal data to be “res extra commercium” in this way and removing it from the economic cycle is an elementary basic decision that certainly does not belong to an enforcement authority, but is the sole prerogative of the legislator. The EDPB cannot invoke justifying laws for this: As the source of its legal knowledge, it merely cites a directive issued by the EU Commission in 2019 – which, however, does not support its opinion at all: This directive merely seeks to ensure that in business models where “the consumer does not pay a price”, consumers are “entitled to contractual remedies” – no more, no less. The GDPR does not provide for such restrictions on the marketability of personal data either, but rather guarantees the “free movement” of this data “within the Union”. The ECJ also recently expressed no doubts about a “pay or consent” model (in the “Bundeskartellamt” decision).

The EDPB’s argument also misjudges the purpose of fundamental rights: They are not directed against companies, but against the state – and they do not include the use of third-party services without consideration. The EDPB thus undermines essential parts of internet-based business models. And the committee is developing all of this away from the public eye and without any opportunity for those affected to participate.

Overall, with this opinion, the EDPB is therefore leaving the realm of comprehensible interpretation of the GDPR and is acting in an eminently legal-political manner without legal authority. At the same time, the EDPB is clearly contradicting the EU’s data strategy – particularly with regard to the Data Act and the European Health Data Space. It is therefore no wonder that Thomas Fuchs, Data Protection Commissioner of the Hanseatic City of Hamburg and involved in the preparatory work for the opinion, criticized that the decision taken was “no longer his” – although this did not prevent the Federal Commissioner from approving the EDPB. Apparently, the Sacred Heart data protectionists in the EDPB have taken over – it remains to be seen whether the ECJ’s lawyers will catch them again.